Website defacement: final details.
==================================

Last updated: 3rd January 2014

On Sun 29th December 2013 at around 1am GMT the home page of
www.openssl.org was defaced.  We restored the home page just after 3am
GMT and started forensics, investigation, and recovery.

The OpenSSL server is a virtual server which shares a hypervisor with
other customers of the same ISP.  Our investigation found that the
attack was made through insecure passwords at the hosting provider,
leading to control of the hypervisor management console, which then
was used to manipulate our virtual server.

The source repositories were audited and they were not affected.

Other than the modification to the index.html page no changes to the
website were made.  No vulnerability in the OS or OpenSSL applications
was used to perform this defacement.

Steps have been taken to protect against this means of attack in
future.